CVE-2026-52963

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Bound MIDI endpoint descriptor scans

snd usbmidi get ms info() validates the internal MIDIStreaming endpoint descriptor size before using baAssocJackID[], but the descriptor walker can still return a class-specific endpoint descriptor whose bLength exceeds the remaining bytes in the endpoint-extra scan.

That leaves later flexible-array reads bounded by bLength, but not by the remaining bytes in the endpoint-extra scan.

Stop walking when bLength is zero or extends past the remaining endpoint-extra scan.